APT43 Group (North Korea) Espionage Operations Funded by Cybercrime


SUMMARY
Mandiant reports that APT43 (North Korea) has targeted organizations in the U.S., Europe, Japan, and South Korea over the past five years. Mandiant assesses with high confidence that APT43 is a state-sponsored threat actor, and with medium confidence that it belongs to the North Korean Reconnaissance General Bureau, North Korea's primary foreign intelligence service.

TECHNICAL DETAILS
Mandiant assesses that APT43 launders stolen cryptocurrency through legitimate cloud mining services while also running ongoing social engineering campaigns, using false names and sock-puppet relationships to build rapport with its targets.

APT43 uses malware that is largely unique to the group and not commonly seen with other threat actors, including the Hangman backdoor, Pencildown, Pendown, Laptop, and Venombite, alongside tools such as QuasarRAT, Amadey, and gh0st RAT.

Mandiant also notes that APT43 targets groups involved in politics, business, manufacturing, think tanks, education, and research related to nuclear and geopolitical policy in the U.S., South Korea, and Japan.

INDICATORS OF COMPROMISE (IOCs)
Hashes (each sample is listed as its MD5, SHA-1, and SHA-256 digest):

MD5:     982fc9ded34c85469269eacb1cb4ef26
SHA-1:   e205ed81ccb99641dcc6c2799d32ef0584fa2175
SHA-256: 557ff6c87c81a2d2348bd8d667ea8412a1a0a055f5e1ae91701c2954ca8a3fdb

MD5:     de9a8c26049699dbbd5d334a8566d38d
SHA-1:   47a32bc992e5d4613b3658b025ab913b0679232c
SHA-256: 43c2d5122af50363c29879501776d907eaa568fa142d935f6c80e823d18223f5

MD5:     144bd7fd423edc3965cb0161a8b82ab2
SHA-1:   1087efbd004f65d226bf20a52f1dc0b3e756ff9e
SHA-256: 2b78d5228737a38fa940e9ab19601747c68ed28e488696694648e3d70e53eb5a

MD5:     cd83a51bec0396f4a0fd563ca9c929d7
SHA-1:   f3b047e6eb3964deb047767fad52851c5601483f
SHA-256: fb7fb6dbaf568b568cd5e60ab537a42d5982949a5e577db53cc707012c7f20e3

MD5:     33df74cbb60920d63fe677c6f90b63f9
SHA-1:   539acd9145befd7e670fe826c248766f46f0d041
SHA-256: 94aa827a514d7aa70c404ec326edaaad4b2b738ffaea5a66c0c9f246738df579

MD5:     ebaf83302dc78d96d5993830430bd169
SHA-1:   bc6cb78e20cb20285149d55563f6fdcf4aaafa58
SHA-256: 5cbc07895d099ce39a3142025c557b7fac41d79914535ab7ffc2094809f12a4b

MD5:     b846fa8bc3a55fa0490a807186a8ece9
SHA-1:   c0c6b99796d732fa53402ff49fd241612a340229
SHA-256: 855656bfecc359a1816437223c4a133359e73ecf45acda667610fbe7875ab3c8

MD5:     f92a75b98249fa61cf62e8b63cb68fae
SHA-1:   e5b312155289cdc6a80a041821fc82d2cca80bcd
SHA-256: d0971d098b0f8cf2187feeed3ce049930f19ec3379b141ec6a2f2871b1e90ff7

MD5:     1dcd5afeccfe2040895686eefa0a9629
SHA-1:   40826e2064b59b8b7b3e514b9ef2c1479ac3b038
SHA-256: 07aed9fa864556753de0a664d22854167a3d898820bc92be46b1977c68b12b34

MD5:     5fe4da6a1d82561a19711e564adc7589
SHA-1:   e79527f7307c1dda62c42487163616b3e58d5028
SHA-256: 8d0bafca8a8e8f3e4544f1822bc4bb08ceaa3c7192c9a92006b1eb500771ab53

MD5:     e8da7fcdf0ca67b76f9a7967e240d223
SHA-1:   b0c2312852d750c4bceb552def6985b8b800d3f3
SHA-256: 9dac6553b89645ac8d9e0a3dc877d12641e6d05fb52e8de6ae5533b2bdf0abc9

MD5:     2bf26702c6ecbd46f68138cdcd45c034
SHA-1:   1b9a4c0a5615a4f96a041d771646c1a407b17577
SHA-256: 38d1d8c3c4ec5ea17c3719af285247cb1d8879c7cf967e1be1197e60d42c01c5

MD5:     2d330c354c14b39368876392d56fb18c
SHA-1:   a1f72c890d0b920f4f4cb2d59df6fa40734de90d
SHA-256: f86d05c1d7853c06fc5561f8df19b53506b724a83bb29c69b39f004a0f7f82d8

MD5:     15ec5c7125e6c74f740d6fc3376c130d
SHA-1:   fb09b89803da071b7b7eb23244771c54d979a873
SHA-256: 4a1c43258fe0e3b75afc4e020b904910c94d9ba08fc1e3f3a99d188b56675211
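The hash list above is published as a flat block in which each sample contributes an MD5, a SHA-1, and a SHA-256 digest. The following Python script is an added example, not part of this advisory or of Mandiant's report: it takes the hash block exactly as pasted, sorts the digests by algorithm using their hex length (so a malformed or mistyped entry is flagged instead of silently never matching), and checks files against all three sets in a single read pass. The sample bytes and any file paths passed on the command line are constructed or assumed for illustration.

```python
"""Match files against the APT43 hash IOCs listed in this advisory (added example)."""
import hashlib
import io
from typing import BinaryIO, Dict, List, Set

# Hash block copied from the IOC section above, one sample per line in the
# order published: MD5, SHA-1, SHA-256. classify_hashes() only needs whitespace
# between entries, so the block can be pasted in any layout.
APT43_HASH_BLOCK = """
982fc9ded34c85469269eacb1cb4ef26 e205ed81ccb99641dcc6c2799d32ef0584fa2175 557ff6c87c81a2d2348bd8d667ea8412a1a0a055f5e1ae91701c2954ca8a3fdb
de9a8c26049699dbbd5d334a8566d38d 47a32bc992e5d4613b3658b025ab913b0679232c 43c2d5122af50363c29879501776d907eaa568fa142d935f6c80e823d18223f5
144bd7fd423edc3965cb0161a8b82ab2 1087efbd004f65d226bf20a52f1dc0b3e756ff9e 2b78d5228737a38fa940e9ab19601747c68ed28e488696694648e3d70e53eb5a
cd83a51bec0396f4a0fd563ca9c929d7 f3b047e6eb3964deb047767fad52851c5601483f fb7fb6dbaf568b568cd5e60ab537a42d5982949a5e577db53cc707012c7f20e3
33df74cbb60920d63fe677c6f90b63f9 539acd9145befd7e670fe826c248766f46f0d041 94aa827a514d7aa70c404ec326edaaad4b2b738ffaea5a66c0c9f246738df579
ebaf83302dc78d96d5993830430bd169 bc6cb78e20cb20285149d55563f6fdcf4aaafa58 5cbc07895d099ce39a3142025c557b7fac41d79914535ab7ffc2094809f12a4b
b846fa8bc3a55fa0490a807186a8ece9 c0c6b99796d732fa53402ff49fd241612a340229 855656bfecc359a1816437223c4a133359e73ecf45acda667610fbe7875ab3c8
f92a75b98249fa61cf62e8b63cb68fae e5b312155289cdc6a80a041821fc82d2cca80bcd d0971d098b0f8cf2187feeed3ce049930f19ec3379b141ec6a2f2871b1e90ff7
1dcd5afeccfe2040895686eefa0a9629 40826e2064b59b8b7b3e514b9ef2c1479ac3b038 07aed9fa864556753de0a664d22854167a3d898820bc92be46b1977c68b12b34
5fe4da6a1d82561a19711e564adc7589 e79527f7307c1dda62c42487163616b3e58d5028 8d0bafca8a8e8f3e4544f1822bc4bb08ceaa3c7192c9a92006b1eb500771ab53
e8da7fcdf0ca67b76f9a7967e240d223 b0c2312852d750c4bceb552def6985b8b800d3f3 9dac6553b89645ac8d9e0a3dc877d12641e6d05fb52e8de6ae5533b2bdf0abc9
2bf26702c6ecbd46f68138cdcd45c034 1b9a4c0a5615a4f96a041d771646c1a407b17577 38d1d8c3c4ec5ea17c3719af285247cb1d8879c7cf967e1be1197e60d42c01c5
2d330c354c14b39368876392d56fb18c a1f72c890d0b920f4f4cb2d59df6fa40734de90d f86d05c1d7853c06fc5561f8df19b53506b724a83bb29c69b39f004a0f7f82d8
15ec5c7125e6c74f740d6fc3376c130d fb09b89803da071b7b7eb23244771c54d979a873 4a1c43258fe0e3b75afc4e020b904910c94d9ba08fc1e3f3a99d188b56675211
"""

# Hex length identifies the algorithm when an advisory does not label its hashes.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


def classify_hashes(block: str) -> Dict[str, Set[str]]:
    """Split a pasted hash block into per-algorithm sets keyed by digest length.
    Entries of the wrong length or with non-hex characters go to 'unknown' so a
    typo in the source is noticed rather than silently never matching."""
    groups: Dict[str, Set[str]] = {"md5": set(), "sha1": set(), "sha256": set(), "unknown": set()}
    for token in block.split():
        h = token.lower()
        algo = HASH_LENGTHS.get(len(h))
        if algo is None or not set(h) <= HEX_DIGITS:
            groups["unknown"].add(h)
        else:
            groups[algo].add(h)
    return groups


def stream_digests(stream: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 in one pass so a large file is read only once."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def bytes_digests(data: bytes) -> Dict[str, str]:
    """Digest an in-memory buffer (convenient for tests and for quarantined samples)."""
    return stream_digests(io.BytesIO(data))


def match_iocs(digests: Dict[str, str], iocs: Dict[str, Set[str]]) -> List[str]:
    """Return the algorithms whose digest appears in the IOC set; an empty list means no match."""
    return sorted(algo for algo, d in digests.items() if d in iocs.get(algo, set()))


def scan_file(path: str, iocs: Dict[str, Set[str]]) -> List[str]:
    """Hash a file on disk and report which IOC algorithms it matches."""
    with open(path, "rb") as f:
        return match_iocs(stream_digests(f), iocs)


if __name__ == "__main__":
    import sys

    iocs = classify_hashes(APT43_HASH_BLOCK)
    print("IOC groups:", {algo: len(hs) for algo, hs in iocs.items()})
    # Constructed sample content standing in for a file under review (not a real artefact).
    sample = b"This is a constructed benign document used only to exercise the matcher.\n"
    print("constructed sample matches:", match_iocs(bytes_digests(sample), iocs))
    # Any paths given on the command line are assumed to be files the reader wants checked.
    for path in sys.argv[1:]:
        hits = scan_file(path, iocs)
        print(f"{path}: {'MATCH ' + ','.join(hits) if hits else 'no match'}")
```

Run it with no arguments to see the fourteen-per-algorithm breakdown of the advisory's list, or pass file paths to check them; a non-empty result from scan_file is a reason to isolate the host and pull the file for analysis, not proof on its own of which APT43 tool it is.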


REFERENCES
https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report
https://www.bleepingcomputer.com/news/security/newly-exposed-apt43-hacking-group-targeting-us-orgs-since-2018/
https://thehackernews.com/2023/03/north-korean-apt43-group-uses.html